<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; CSO / Risk Management</title>
	<atom:link href="http://blogs.mcafee.com/enterprise/cso-risk-management/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 24 May 2013 19:54:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Anonymous Releases &#8216;Warhead&#8217; via #OpLastResort</title>
		<link>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort</link>
		<comments>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort#comments</comments>
		<pubDate>Sun, 27 Jan 2013 21:34:21 +0000</pubDate>
		<dc:creator>Jim Walter</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Database Security]]></category>
		<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Barrett Brown]]></category>
		<category><![CDATA[Last Resort]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[OpLastResort]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Swartz]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[USSC]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21543</guid>
		<description><![CDATA[This post was updated on January 27. See end of file for update.  There has been a great explosion of chatter in the last day around Anonymous&#8217; &#8220;Operation Last Resort&#8221; (a.k.a. #OpLastResort). The entities behind the various &#8220;official&#8221; communications around this operation have a sense of humor that we must point out (especially because if <a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><strong>This post was updated on January 27. See end of file for update. </strong></p>
<p>There has been a great explosion of chatter in the last day around Anonymous&#8217; &#8220;Operation Last Resort&#8221; (a.k.a. #OpLastResort).</p>
<p style="text-align: left;"><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/header" rel="attachment wp-att-21545"><img class="wp-image-21545 aligncenter" style="margin-top: 2px; margin-bottom: 2px;" alt="header" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/header-300x166.png" width="270" height="149" /></a></p>
<p>The entities behind the various &#8220;official&#8221; communications around this operation have a sense of humor that we must point out (especially because if you don&#8217;t catch it, you will end up wiping your disk).</p>
<p><strong>Background</strong></p>
<p>In typical fashion with these events, some data suggests that the whole thing (or at least the leak) is a hoax. Regardless of what data resides in the leaked files, it is apparent that someone is having fun, via the embedded scripts in the USSC site. (See the Update section, below, for details on the Konami scripts.)</p>
<p>Anonymous has infiltrated specific US government systems in response to the &#8220;killing&#8221; of Aaron Swartz, who committed suicide on January 11. According to various posts and other communication channels, the operation is also tied to Barrett Brown and the law-enforcement actions against him. Ussc.gov (and others) have reportedly been compromised, and various caches of sensitive data have been exfiltrated. The first round is a .rar file (composed of multiple raw downloads). Details on how the compromise or breach took place are not clear or reliable. It is likely (though unconfirmed) that part of the initial intrusion was via SQL injection. Based on phrases in the official videos, RATs or other temporary &#8220;leakware&#8221; may have existed on compromised systems, and have been subsequently removed by the attackers. Reports suggest that the contents of this leak pertain to various U.S. Supreme Court Justices.</p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/list_files" rel="attachment wp-att-21544"><img class="alignnone size-medium wp-image-21544" alt="list_files" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/list_files-300x165.png" width="300" height="165" /></a></p>
<p>The file set includes an official promo video for the operation, as well as a statement:</p>
<pre>"<em>Still there is nothing quite as educational as a well-conducted demonstration...</em></pre>
<pre><em>Through this websites and various others that will remain unnamed, we have been 
conducting our own infiltration. We did not restrict ourselves like the FBI to one 
high-profile compromise. We are far more ambitious, and far more capable. Over the last 
two weeks we have wound down this operation, removed all traces of leakware from the 
compromised systems, and taken down the injection apparatus used to detect and exploit 
vulnerable machines.</em></pre>
<pre><em>We have enough fissile material for multiple warheads. Today we are launching the 
first of these. Operation Last Resort has begun... Warhead-US-DOJ-LEA-2013.AEE256 
is primed and armed. It has been quietly distributed to numerous mirrors 
over the last few days and is available for download from this website now. 
We encourage all Anonymous to syndicate this file as widely as possible.</em></pre>
<pre><em>The contents are various and we won't ruin the speculation by revealing them. Suffice 
it to say, everyone has secrets, and some things are not meant to be public. At a 
regular interval commencing today, we will choose one media outlet and supply them 
with heavily redacted partial contents of the file. Any media outlets wishing to be 
eligible for this program must include within their reporting a means of secure 
communications.</em></pre>
<pre><em>We have not taken this action lightly, nor without consideration of the possible 
consequences. Should we be forced to reveal the trigger-key to this warhead, we 
understand that there will be collateral damage. We appreciate that many who work 
within the justice system believe in those principles that it has lost, corrupted, 
or abandoned, that they do not bear the full responsibility for the damages caused 
by their occupation.</em></pre>
<pre><em>It is our hope that this warhead need never be detonated."

</em></pre>
<p>This release is the referred-to &#8220;warhead&#8221;&#8211;specifically &#8220;Warhead-US-DOJ-LEA-2013.AEE256.&#8221; The &#8220;trigger key&#8221; referred to in the video is the decryption key for the content. Anonymous also indicated that they will, at some interval, release heavily redacted previews of the decrypted content. As of this writing, these have not emerged. We have, however, seen some fake decryption keys making the rounds.</p>
<p>Now, back to the &#8220;humor&#8221; that I alluded to earlier in this post. Some of the releases around this operation contain the following handy instructions:</p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/cat_rm" rel="attachment wp-att-21547"><img class="alignnone size-full wp-image-21547" style="border: 2px solid black;" alt="cat_rm" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/cat_rm.png" width="946" height="38" /></a></p>
<p><span style="color: #ff0000;"><strong>If you did not catch it, at the end that&#8217;s an &#8220;rm&#8221; with force and recursion starting at the root. <img src='http://blogs.mcafee.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </strong></span></p>
<p><a href="http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/attachment/rm_man" rel="attachment wp-att-21548"><img class="alignnone  wp-image-21548" style="border: 2px solid black;" alt="rm_man" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/rm_man.png" /></a></p>
<p>What else does this operation entail? It is said that a Twitter-Storm campaign will commence on January 25.</p>
<pre><em>"BEGIN THE MESSAGE OF ATTACK on January 25th at 11:59 PM EST"</em></pre>
<p>Full details on this part of the operation are given in some of the group&#8217;s PADs. This will be an interesting operation to pay attention to during the next few days.</p>
<p>What will the next warheads be? When will we start to see decrypted content from any of the warheads circulating? How will various governments react?</p>
<p>Stay tuned.</p>
<p><strong>Update, January 27</strong></p>
<p>The USSC.gov site is still compromised. A special surprise (via embedded JavaScript) awaits those who recall some of the old Nintendo/Konami codes. Through a series of keystrokes, a script will let you fly various objects around the page, view fireworks, and more.</p>
<p><img alt="" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/konami_script_src.png" /></p>
<p><img alt="" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/nintendo_script.png" /></p>
<p>Upon execution, the script provides some on-screen controls, and you can even control the various objects (including Nyan Cat) via the arrow keys.</p>
<p><iframe src="http://www.youtube.com/embed/6fYotjFVsq8" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/anonymous-releases-warhead-via-oplastresort/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Get Your Arms Around Big Security Data</title>
		<link>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data</link>
		<comments>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data#comments</comments>
		<pubDate>Tue, 22 May 2012 18:51:43 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Database Security]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[big security data]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[epo]]></category>
		<category><![CDATA[ePolicy Orchestrator]]></category>
		<category><![CDATA[ESM]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[McAfee Risk Advisor]]></category>
		<category><![CDATA[NitroView]]></category>
		<category><![CDATA[security information and event management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=16269</guid>
		<description><![CDATA[The more data you have, the more insight and knowledge you possess, right? But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? A few extra gigabytes here and terabytes there, and before you know it, you&#8217;ve got a big security data problem. <a href="http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The more data you have, the more insight and knowledge you possess, right? But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? A few extra gigabytes here and terabytes there, and before you know it, you&#8217;ve got a big security data problem. Every new security control that&#8217;s put in place to protect data adds administrative burden—increasing the security event data that must be monitored, logged, shared between security components, analyzed, and reported on.</p>
<p>Security information and event management (SIEM) systems were invented to help IT security teams within financial services companies, health care providers, defense contractors, and governments address the growing volumes of information security data. An onslaught of well-publicized data breaches followed by public outrage and a surge of regulatory mandates quickly made SIEM must-have technology.</p>
<p><strong>The point product feeding binge</strong></p>
<p>As corporate security officers scrambled to address these issues, virtualization bred even more data and applications that had to be secured and reported on. Companies added new security products—each bringing its own instrumentation and logging requirements. The volume of security data and real-time data streams grew exponentially until SIEM solutions bogged down. Some security teams started turning off SIEM data feeds in an effort to preserve performance. Unfortunately, each disabled data feed created another vulnerability and exposed the enterprise to greater risks.</p>
<p><strong>Time for a big security data fitness plan</strong></p>
<p>So how do you deal with big security data even as your business tightens its belt?</p>
<p>Today you need more relational information about the source, asset, user, and data to provide greater security context and situational awareness. You also need real-time correlation of this information with event flows—including scalable architecture that can keep pace with big security data&#8217;s growth.</p>
<p><strong>Add Muscle, Lose Fat</strong></p>
<p>Legacy SIEM solutions don&#8217;t have the power to handle big security data. Today, you need a SIEM that includes high-performance architecture to handle reams of security data and easily scales to handle future growth. In other words, you need <a href="http://www.mcafee.com/us/products/enterprise-security-manager.aspx">McAfee Enterprise Security Manager</a> (formerly NitroView). This SIEM powerhouse is specifically built for big security data with a powerful database, appliance options, and the processing power to quickly correlate billions of events and flows.</p>
<p><strong>Boost Your SIEM IQ</strong></p>
<p>The next generation of SIEMs must go beyond simple event analysis to share security intelligence among security components and quickly deliver actionable information. McAfee Enterprise Security Manager achieves this by immediately collecting and analyzing contextual information on events, users, and data, creating and sharing situational awareness among solution components.</p>
<ul>
<li><a href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx">McAfee Global Threat Intelligence</a> further strengthens dynamic threat visibility, providing around-the-clock reputation-based threat intelligence and sharing this insight through integration among solution components.</li>
<li><a href="http://www.mcafee.com/us/products/risk-advisor.aspx">McAfee Risk Advisor</a> uses this shared information to help you quickly pinpoint attacks and implement countermeasures.</li>
</ul>
<p><strong>Achieve Balance and Agility</strong><br />
Big security data requires security tool integration and enterprise-wide visibility. Two-way integration with <a href="http://www.mcafee.com/us/products/epolicy-orchestrator.aspx">McAfee ePolicy Orchestrator</a> (ePO) software extends visibility and control across your entire security and compliance environment.</p>
<p>Just like any fitness plan, SIEM requires effort and dedication. It gets easier over time and results become an excellent motivator.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Predictive Security</title>
		<link>http://blogs.mcafee.com/cso-risk-management/predictive-security</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/predictive-security#comments</comments>
		<pubDate>Tue, 21 Apr 2009 15:27:25 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[trustedsource]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=907</guid>
		<description><![CDATA[Update: Watch McAfee CEO Dave DeWalt&#8217;s RSA Conference keynote on Predictive Security and also view my video on the topic. The year started off really well for malware authors, with the Conficker worm infecting millions of computers. Threats are not only increasing on a daily basis but they are also getting smarter in leveraging multiple <a href="http://blogs.mcafee.com/cso-risk-management/predictive-security">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><em>Update: Watch McAfee CEO <a href="http://media.omediaweb.com/rsa2009/keynote_catalog.htm">Dave DeWalt&#8217;s RSA Conference keynote</a> on Predictive Security and also view <a href="http://www.mcafee.com/us/threat_center/gti_video.html">my video</a> on the topic.</em><br />
The year started off really well for malware authors, with the <a href="http://www.mcafee.com/us/threat_center/conficker.html">Conficker worm</a> infecting millions of computers. Threats are not only increasing on a daily basis; they are also getting smarter at leveraging multiple vectors (Web, e-mail) and the social aspects of the Internet for propagation and infection.<br />
 <br />
Business as usual in dealing with these threats will only keep us playing catch-up with the bad guys. Threat protection needs to evolve from being completely reactive (signature-based, like traditional anti-virus software) to more real-time, proactive protection (reputation-based technologies like <a href="http://www.mcafee.com/us/enterprise/products/artemis_technology/index.html">Artemis</a> and <a href="http://www.trustedsource.org/">TrustedSource</a>). These technologies, as examples, are currently used by McAfee’s network and endpoint products in delivering real-time protection to our customers.<br />
 <br />
Regardless, we cannot stop innovating, since the bad guys are not. Wouldn’t it be great if we could forecast the threats that are about to occur, but haven’t yet, the way we forecast the weather? What if we could make decisions by watching and correlating distribution and propagation patterns, looking at the complete Internet spectrum and the anomalies within it? A weather forecast draws on a global view of weather patterns, with millions of sensors monitoring many specific areas (temperature, wind, barometric pressure, wave heights, etc.) that feed and benefit your specific forecast. Because of this global view, we are now able to plan our activities and clothing accordingly. This is what McAfee’s Global Threat Intelligence is all about.<br />
 <br />
Global Threat Intelligence takes threat research and protection to the next levels – from reactive to proactive and ultimately to predictive.<br />
 <br />
With Global Threat Intelligence, McAfee can forecast or predict potential threats based on prevalence, reputation, and the type of content. Leveraging the collective intelligence gathered across all threat vectors (network, Web, e-mail, vulnerabilities) and with millions of real-time sensors deployed, McAfee can identify threats and deliver protection mechanisms before the threats potentially get to the user. This can be accomplished only when one has complete visibility of the threats across all vectors, complementing a real-time model. In addition, the only way to do this is to own every aspect of the research, with no dependencies. Otherwise, the real-time correlation of the intelligence cannot be done, leaving gaps in the protection model. Most importantly, this is an evolving threat intelligence capability for which we are only beginning to see what is possible.<br />
 <br />
As a dedicated security company, McAfee has invested in building the capabilities and owning every aspect of threat research. We believe that blocking malware, or any threat, before it gets to our customer is even better than learning about it and acting on it only after it has actually got there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/predictive-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Millions Spent On Microsoft Flaw, But Not By McAfee Customers</title>
		<link>http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee#comments</comments>
		<pubDate>Tue, 04 Nov 2008 20:01:16 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[Host IPS]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=320</guid>
		<description><![CDATA[As most of you now know, on 10/23, Microsoft announced a critical out-of-cycle patch (MS08-067) to fix a flaw being exploited by cybercrooks. The vulnerability affects all major versions of Microsoft Windows.  In just a matter of moments, attackers can gain total remote control of a system and install malware, keyloggers, and Trojans. A successful <a href="http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>As most of you now know, on 10/23, Microsoft announced a critical out-of-cycle patch (<a href="http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx">MS08-067</a>) to fix <a href="http://blogs.mcafee.com/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/">a flaw being exploited by cybercrooks</a>.</p>
<p>The vulnerability affects all major versions of Microsoft Windows.  In just a matter of moments, attackers can gain total remote control of a system and install malware, keyloggers, and Trojans. A successful attack can lead to corrupted systems and stolen confidential data: intellectual property, credit card numbers, social security numbers, passwords, and more.  Within hours of the Microsoft patch release, public source code to exploit this vulnerability was distributed on the Web.  And, according to Microsoft, by the time the patch was announced <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=212000278">targeted attacks had already begun</a>.</p>
<p>Because of the extremely critical nature of the vulnerability, Microsoft recommended immediate deployment of its emergency patch without testing, hitting enterprises with a dilemma. Should they immediately deploy the out-of-cycle patch and risk impacting or even bringing down production systems? Or should they continue leaving their systems at risk to a critical vulnerability while IT security is testing the Microsoft patch? Either way, businesses are negatively impacted by additional patch management costs, associated business disruptions, and increased security risk exposure.</p>
<p>This incident reinforces the larger industry issue that companies require zero-day protection, especially during the window of vulnerability – the time between when a vulnerability is discovered and when the patch is deployed to protect the system. Relying solely on patch cycles and signature-based solutions doesn’t protect against unknown, zero-day attacks such as this one. With host intrusion prevention, IT teams can establish a more efficient, well-planned, and controlled patching process. Host IPS puts zero-day vulnerability shielding in place which allows IT staff time to analyze, plan, prioritize, test, and deploy relevant patches. </p>
<p>While most security vendors struggled frantically to release new signatures for Microsoft’s vulnerability, McAfee customers using <a href="http://www.mcafee.com/us/enterprise/products/secure_virtualization/total_protection_for_endpoint.html">Total Protection for Endpoint</a> (including McAfee Host IPS) were already protected. By using Total Protection for Endpoint, McAfee customers have comprehensive, layered security against this vulnerability through zero day protection rules already enabled by default.  McAfee customers apply Microsoft patches on their own schedule following their own procedures to significantly lessen patching costs associated with out-of-band patch cycles.</p>
<p>In fact, non-McAfee customers spent over $250 million to address the unplanned patch cycle. While companies scrambled to get protected and lost precious productivity resulting in lost profits, McAfee customers had peace of mind that their systems were protected at no additional cost. Furthermore, McAfee customers went on with business as usual while unprotected companies spent long hours and late nights to get protected.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/companies-spend-250m-on-microsoft-vulnerability%e2%80%a6unless-they%e2%80%99re-with-mcafee/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Latest attacks underline growing threat to governments</title>
		<link>http://blogs.mcafee.com/cso-risk-management/latest-hacking-attacks-underline-growing-cyber-threat-to-governments</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/latest-hacking-attacks-underline-growing-cyber-threat-to-governments#comments</comments>
		<pubDate>Fri, 13 Jun 2008 19:41:56 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=269</guid>
		<description><![CDATA[Two members of the House of Representatives on Wednesday said their computer systems were broken into, the latest in a series of cybersecurity alarms raised by the government. The lawmakers suggest that the break-ins were carried out by people who appear to be working from inside China seeking confidential lists of names of dissidents. Virginia Rep. <a href="http://blogs.mcafee.com/cso-risk-management/latest-hacking-attacks-underline-growing-cyber-threat-to-governments">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Two members of the House of Representatives on Wednesday said their computer systems were broken into, the latest in a series of cybersecurity alarms raised by the government.</p>
<p>The <a href="http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking">lawmakers suggest that the break-ins were carried out by people who appear to be working from inside China seeking confidential lists of names of dissidents</a>.</p>
<p><a href="http://wolf.house.gov/index.cfm?sectionid=34&amp;parentid=6&amp;sectiontree=6,34&amp;itemid=1174">Virginia Rep. Frank Wolf said four of his computers were compromised, beginning in 2006</a>. New Jersey Rep. Chris Smith, a senior Republican on the House Foreign Affairs Committee, said two of his computers were attacked, in December 2006 and March 2007.</p>
<p>The Pentagon last month acknowledged that its vast computer network is continuously being scanned or attacked by outsiders. The Air Force in a recruitment ad says the Pentagon is attacked more than 3 million times each day.</p>
<p>As has been well documented by <a href="http://www.mcafee.com/us/default.asp">McAfee</a> and by others, cyberattacks are on the rise and are increasingly nefarious. Several years ago hackers defaced Web sites and created fast-spreading worms for glory and notoriety. Today hackers, either part of organized crime rings or backed by governments, hack to steal valuable information and make money.</p>
<p>Government systems have been an increasing target. The number of federal-government-related cyberincidents reported to the <a href="http://www.us-cert.gov/">US Computer Emergency Readiness Team</a> (US-CERT) more than doubled to 12,986 in the government’s 2007 fiscal year, which ended Sept. 30. That compares to 5,143 in fiscal 2006.</p>
<p>Computer systems all over the world are under a growing assault from hackers, cyberterrorists and foreign spies looking to steal secrets and disrupt operations. We highlighted the threat of cyberespionage in particular in our <a href="http://www.mcafee.com/us/local_content/reports/mcafee_criminology_report2007_en.pdf">Virtual Criminology</a> report late last year.</p>
<p>We applaud the government for being open and upfront about these attacks and taking important steps toward strengthening the protection of its systems. It has been clear to us for a long time that more needs to be done, and we’re happy to see the government agrees.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/latest-hacking-attacks-underline-growing-cyber-threat-to-governments/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Virtualization equals real security</title>
		<link>http://blogs.mcafee.com/cso-risk-management/virtualization-equals-real-security</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/virtualization-equals-real-security#comments</comments>
		<pubDate>Thu, 28 Feb 2008 02:09:54 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=256</guid>
		<description><![CDATA[Hotels in Cannes don&#8217;t just sell out for the Film Festival; all rooms are also booked for a big IT show this week: VMware&#8217;s first VMworld Europe. Today I showed an audience of about 4,500 people at VMworld Europe how VMware and McAfee together will be able to protect virtual environments in ways beyond what <a href="http://blogs.mcafee.com/cso-risk-management/virtualization-equals-real-security">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Hotels in Cannes don&#8217;t just sell out for the Film Festival; all rooms are also booked for a big IT show this week: VMware&#8217;s first <a href="http://www.vmworld.com/vmworld/home.jspa">VMworld Europe</a>.</p>
<p>Today I showed an audience of about 4,500 people at VMworld Europe how <a href="http://www.mcafee.com/us/about/press/corporate/2008/20080227_201010_p.html">VMware and McAfee</a> together will be able to protect virtual environments in ways beyond what is available to protect physical environments today.</p>
<p>Our customers are using more and more virtualization. We&#8217;ve devoted a lot of time and energy to provide the best protection possible, for both <a href="http://www.mcafee.com/us/enterprise/products/promos/virtualization.html">physical and virtualized environments</a>.</p>
<p>Virtualization represents a disruptive change in how the world uses its computing devices. It has also expanded the possibilities for more comprehensive security for the virtualization platforms and the guest operating systems they host.</p>
<p>With the popularity of virtualization and the rush to reap its benefits, security must not become an afterthought. That is why I am excited about today&#8217;s big news: <a href="http://www.mcafee.com/us/about/press/corporate/2008/20080227_201010_p.html">VMware VMsafe</a>. With VMsafe, VMware is building adaptable security interfaces as a fundamental part of its products, allowing partners such as McAfee to offer innovative security solutions.</p>
<p>McAfee is the first security company to publicly demonstrate VMsafe. At VMworld we showed how, with VMsafe, we can block a malicious driver being executed in a virtual machine. We also showed that we can scan and clean offline VMs so they are up-to-date when they&#8217;re spun up.</p>
<p>We deliver real and meaningful security for virtualized environments today. Our <a href="http://www.mcafee.com/us/enterprise/products/promos/virtualization.html">security risk management solutions </a>are fully compatible with VMware virtualization and help organizations create a safe computing environment, spanning virtualized servers, networks and desktops.</p>
<p>In the future, VMsafe could be used in a range of our products, further enhancing the protection. Just as VMware has provided a fundamental change to how computing resources are used, it will allow security technologies to protect virtual environments in ways beyond those possible for a single monolithic OS. VMsafe is the key to that promise.</p>
<p>Aside from our support for VMsafe, we also announced an OEM (original equipment manufacturer) agreement with VMware to use VMware ESX Server in future products. In addition, we announced beta availability of our new Email and Web Security Virtual Appliance, built from the ground up for the VMware platform, and unveiled a <a href="http://www.mcafee.com/us/about/press/corporate/2008/20080227_181010_t.html">new virtual infrastructure security assessment service</a>. </p>
<p>You can read more about how McAfee secures virtual environments in our news releases and on our virtualization Web site: <a href="http://www.mcafee.com/virtualization">http://www.mcafee.com/virtualization</a></p>
<p>Virtually yours,</p>
<p>Christopher</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/virtualization-equals-real-security/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Should Mac users worry about security?</title>
		<link>http://blogs.mcafee.com/cso-risk-management/should-mac-users-worry-about-security</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/should-mac-users-worry-about-security#comments</comments>
		<pubDate>Mon, 28 Jan 2008 22:55:49 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=252</guid>
		<description><![CDATA[I attended the Macworld 2008 Conference last week in San Francisco, and in retrospect several diametrically-opposing observations come to mind on the experience. First, and foremost as a security professional, I was struck by how little concern there is in the Mac community for matters of information security and personal information protection. Everyone reading this <a href="http://blogs.mcafee.com/cso-risk-management/should-mac-users-worry-about-security">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>I attended the Macworld 2008 Conference last week in San Francisco, and in retrospect several diametrically-opposing observations come to mind on the experience.</p>
<p>First, and foremost as a security professional, I was struck by how little concern there is in the Mac community for matters of information security and personal information protection. Everyone reading this blog knows there are fewer vulnerabilities and much less of a malware presence on OS X compared to Windows – but I thought at least some of the attendees I encountered would have some interest in the dangers lurking out there.</p>
<p>I presented on the security topic in the Developer area of the exhibit hall and got a respectable number of people in the audience; but I suspect they sought the comfort of a soft chair more than my pearls of wisdom regarding securing their MacBooks.</p>
<p>My main message was “Leopard is great and it’s an OS designed with many facets of good security in mind, and therefore I agree with much of the relaxed attitudes regarding use of additional safeguards.” In other words, the sky is certainly not falling.</p>
<p>My sub-message, however, was an overview of the bad stuff out there on the Internet, and how it’s just a matter of time before the professional malware writers target the OS X market as being ripe enough for harvesting credit card numbers and SSNs. In fact, one could argue that this has already begun but is just below the radar.</p>
<p>I pointed out that there is no one silver bullet to protect a user of any computer platform – be that a PC or a Mac. In fact, we employ techniques that go far beyond the conventional antivirus and firewall-blocking approaches for protecting personal information. These include safe surfing (SiteAdvisor), safe e-commerce (ScanAlert), and Data Leakage Prevention to help prevent sensitive data from inadvertently leaving the computer in the first place.</p>
<p>I found that my audience was indeed pretty interested in the various types of malware, how it operates, what its symptoms are, and what is done with their stolen information. So I guess the effort we made for a security presence in the expo area wasn’t in vain.</p>
<p>A disappointment I had was in missing out on the Steve Jobs keynote that opened the expo. I thought I’d try getting a seat in the front by getting to the Moscone by 6am; but even by then the line wrapped fully around the block … and these are big blocks! I later understood that people started lining up for entrance to the keynote at 10pm the night before. Oh well, at least later on I was able to fondle the newly-announced MacBook Air, which is a delightfully thin and light notebook computer. It runs the same OS X as the big brothers in the family, so it ultimately offers us security professionals some additional fertile ground.</p>
<p>All in all, the Mac platform is a great one for developers, users, consumers and enterprises alike. Unfortunately so too for the bad guys … but we’ll be there watching for them.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/should-mac-users-worry-about-security/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why Reinvent the Wheel?</title>
		<link>http://blogs.mcafee.com/cso-risk-management/why-reinvent-the-wheel</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/why-reinvent-the-wheel#comments</comments>
		<pubDate>Fri, 18 Jan 2008 23:01:05 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=250</guid>
		<description><![CDATA[Open source software provides an invaluable benefit to almost any software developer, including McAfee. In the future I expect the use of open source code by software makers to increase. Why is open source code so important? Well, because a software developer can use open source code instead of spending time developing code that does <a href="http://blogs.mcafee.com/cso-risk-management/why-reinvent-the-wheel">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Open source software provides an invaluable benefit to almost any software developer, including McAfee. In the future I expect the use of open source code by software makers to increase.</p>
<p>Why is open source code so important? Well, because a software developer can use open source code instead of spending time developing code that does the same job. Simply said, it doesn&#8217;t make sense to reinvent the wheel.</p>
<p>At McAfee we distribute and use open source code, including Linux, OpenSSL and Apache, with our products. Linux has proven to be a very solid platform to deliver security appliances, OpenSSL has created some great tools to secure connections and Apache is so robust it prevents us from having to write a Web server every time we need that functionality. And these are just some of the examples.</p>
<p>Because of the availability of open source code we didn&#8217;t have to develop the functionality provided by the readily available code ourselves. Instead, we could focus on our core competency: delivering the world&#8217;s best security products.</p>
<p>Further, our customers use open source software as well. As a security vendor we cannot ignore that requirement. We have several products available that support Linux, OpenBSD and other well known platforms and projects.</p>
<p>Of course we know that while open source code is freely available, the use and modification of the code incurs some obligations. The requirements differ depending on the applicable license. We are very careful to meet these requirements, doing both legal and technical inspections. For example, if we make any changes to software licensed under the GPL, then we provide those changes with our distribution.</p>
<p>Recently we filed an annual report with the U.S. Securities and Exchange Commission. SEC rules require us to include a detailed list of potential risks we face in our business. Among these risks we also described potential risks associated with our use of open source software, as well as risks associated with our use of any other third party software, regardless of the license type.</p>
<p>Our mention of the open source risk could be misconstrued by people unfamiliar with such regulatory filings as suggesting that these risks are new, unique and dangerous or indicate a negative opinion of the value of open source. Nothing could be farther from the truth. In fact, this risk factor has been included in previous McAfee filings and is similar to open source risks described in current filings from other companies including Symantec, Oracle and many others.</p>
<p>The open source communities around the world continue to provide valuable solutions for many customer problems and for McAfee as well. We&#8217;re grateful for that and we have also been happy contributors to several open source projects for almost 10 years.</p>
<p><a href="http://blogs.mcafee.com/?page_id=115">Meet the blogger and read disclaimer information</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/why-reinvent-the-wheel/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Malware Epidemic in 2007</title>
		<link>http://blogs.mcafee.com/cso-risk-management/a-malware-epidemic-in-2007</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/a-malware-epidemic-in-2007#comments</comments>
		<pubDate>Tue, 08 Jan 2008 20:14:55 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=248</guid>
		<description><![CDATA[If you read Jeff Green’s post on the Avert Labs blog yesterday, you saw that there was a staggering increase in the amount of malware last year, reaching almost “epidemic” proportions. By year’s end, there were 357,820 pieces of malware, up from 221,935 at the beginning of the year. That’s one driver written every four <a href="http://blogs.mcafee.com/cso-risk-management/a-malware-epidemic-in-2007">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>If you read Jeff Green’s post on the Avert Labs blog yesterday, you saw that there was a staggering increase in the amount of malware last year, reaching almost <a href="http://blogs.mcafee.com/index.php/2008/01/07/a-banner-year-for-malware-digital-threats-and-the-security-industry/">“epidemic” proportions</a>. By year’s end, there were 357,820 pieces of malware, up from 221,935 at the beginning of the year. That’s one driver written every four minutes.</p>
<p>What’s particularly scary about these numbers is virtually all of this malware is financially motivated. These aren’t just kids having fun. These are serious criminals going after your social security number, your credit card number and your bank routing number. The criminals have figured out that there’s real money to be made, and that attracts even more malware writers to the business. Their techniques are getting stealthier, and the lifespan of each piece of malware is getting shorter, meaning that there isn’t much time for people to catch on before the criminals move on to a new technique.</p>
<p>We expect these trends to continue in 2008 as cybercrime remains a lucrative business. It’s imperative for security vendors to recognize these trends and motivations in order to stay one step ahead. Only by analyzing these new forms of attacks can we find ways to stop them. Avert Labs is at the forefront of this research, and in 2008 we’ll use this research to find new ways to protect our customers from the spread of this malware epidemic.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/a-malware-epidemic-in-2007/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cooperation is the Only Way to Stop the Bad Guys</title>
		<link>http://blogs.mcafee.com/cso-risk-management/cooperation-is-the-only-way-to-stop-the-bad-guys</link>
		<comments>http://blogs.mcafee.com/cso-risk-management/cooperation-is-the-only-way-to-stop-the-bad-guys#comments</comments>
		<pubDate>Thu, 03 Jan 2008 19:59:59 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[CSO / Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=247</guid>
		<description><![CDATA[Our Avert Labs researchers announced a stunning prediction that the 2007 year-end malware virus count will reach more than 357,000 &#8211; a 60 percent increase over 2006. They also predict the cumulative total of 2008 to hit 550,000. When you look at these malware rates and compare them to the low rate of convictions for <a href="http://blogs.mcafee.com/cso-risk-management/cooperation-is-the-only-way-to-stop-the-bad-guys">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Our Avert Labs researchers announced a stunning prediction that the 2007 year-end malware virus count will reach more than 357,000 &#8211; a 60 percent increase over 2006. They also predict the cumulative total of 2008 to hit 550,000. When you look at these malware rates and compare them to the low rate of convictions for cyber criminals, it begs the question &#8211; is the security community doing enough to protect consumers?</p>
<p>Given this ongoing rise in global malware distribution, we need broad cooperation between security vendors, government and ISPs in order to stay ahead of the bad guys.</p>
<p>It&#8217;s going to take a coordinated global effort, including:</p>
<p>· Cooperation between Internet Service Providers: ISPs and domain registrars need to share information with security companies. In the end, it comes down to a question of privacy considerations versus criminal behavior &#8211; but if the ISPs see an unusual amount of activity, it should be flagged. One action that needs to be discussed is how security vendors can work with ICANN to best protect consumers&#8217; identities and personal information.</p>
<p>· Greater involvement with law enforcement: The current legal mandates make catching and prosecuting criminals extremely difficult. Implementing standards and information sharing between departments at a federal level will be necessary to cut hackers off at a geo-political level. Although it&#8217;s not something that can be easily done, a coordinated effort and increased legislation is essential.</p>
<p>· Standards for domain registration: Similar to how PCI established a set of standards for the payment card industry, I believe we need standards for domain registrations, including background checks. Hackers are successful because they are able to change domains very quickly.</p>
<p>2008 is a complex time for both consumers and enterprises to protect themselves. If the security industry can&#8217;t come together and coordinate a plan, malware and financial losses will continue to reach unprecedented heights. I call on our industry leaders to cooperate and utilize a combination of technology and our legal system to ensure that the bad guys never win.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cso-risk-management/cooperation-is-the-only-way-to-stop-the-bad-guys/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
